Cybersecurity guard for core network elements

ABSTRACT

When a network element attempts to establish a session with another network element, a security verification agent may be activated in one or both network elements. The security verification agents, such as front-end processors, virtual network functions, or other software agents, may reside in each of the network elements.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. Pat. Application Serial No.16/391,944 filed on Apr. 23, 2019. All sections of the aforementionedapplication are incorporated herein by reference in their entirety.

BACKGROUND

In computers and computer networks an attack is any attempt to expose,alter, disable, destroy, steal, or gain unauthorized access to or makeunauthorized use of an asset. A cyberattack is any type of offensivemaneuver that targets computer information systems, infrastructures,computer networks, or personal computer devices. An attacker is a personor process that attempts to access data, functions or other restrictedareas of the system without authorization, potentially with maliciousintent. Depending on context, cyberattacks can be part of cyberwarfareor cyberterrorism. A cyberattack can be employed by nation-states,individuals, groups, society, or organizations. A cyberattack mayoriginate from an anonymous source.

With the increasing demand from consumers and businesses for fasterInternet access along with a decreasing cost of computers and anexpansion of technology around the world, threats of cyber-attacks areon the rise. This disclosure is directed to addressing issues in theexisting technology.

SUMMARY

Disclosed herein is subject matter that may address issues withcybersecurity threats, such as advance persistent threats (APT), forcore network elements.

In an example, an apparatus may include a processor and a memory coupledwith the processor that effectuates operations. The operations mayinclude obtaining, by a second core network element, a control planerequest from a first core network element; based on the control planerequest, pausing processing of the control plane request on the secondcore network element; and activating a security agent of the second corenetwork element to generate a query for a security verification. Theoperations further comprising: sending the query for the securityverification to a security verification device; and responsive tosending the query, receiving an alert message from the securityverification device that indicates the validation status of the firstnetwork element.

This Summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used to limit the scope of the claimed subject matter. Furthermore,the claimed subject matter is not limited to limitations that solve anyor all disadvantages noted in any part of this disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

Reference will now be made to the accompanying drawings, which are notnecessarily drawn to scale.

FIG. 1 illustrates an exemplary network that may incorporate an evolvedpacket core (EPC) guard for core network elements.

FIG. 2 illustrates an exemplary method that may incorporate an EPC guardfor core network elements.

FIG. 3 illustrates another exemplary method that may incorporate an EPCguard for core network elements.

FIG. 4 illustrates a schematic of an exemplary network device.

FIG. 5 illustrates an exemplary communication system that provideswireless telecommunication services over wireless communicationnetworks.

FIG. 6A is a representation of an exemplary network.

FIG. 6B is a representation of an exemplary hardware platform for anetwork.

DETAILED DESCRIPTION

Disclosed herein is subject matter that may address issues withcybersecurity threats, such as advance persistent threats (APT), forcore network elements. APTs are malicious programs or functions that areinserted by bad actors into computing devices. These threats may persistover a long period of time without being detected.

The disclosed capability is termed the EPC guard. It may operate asfollows. When a network element attempts to establish a session withanother EPC network element the EPC Guard may be activated in one orboth network elements. The EPC guard agents (e.g., front end processors,virtual network functions, or other software agents) may reside in eachof the network elements, such as the MME, HSS, EPCG, SGW, PGW, etc.

The EPC Guard agents in the network element being requested may query amaster EPC guard (MEG). The MEG compares the number forwarded by thenetwork element requesting service to a numerical hash value (or anothercryptographic value) stored in the MEG database. In an example, if thenumbers compare accurately, then no changes to the image of therequesting element have been performed and the request is allowed to gothrough. If the numbers do not compare, then the system has the optionof rejecting the request, or alerting a security incident and eventmanagement (SIEM) platform of the possibility of cybersecurity threat inthe EPC core network. The value of having an EPC guard system mayinclude ensuring the integrity of EPC carrier operations by detectingcybersecurity threats in the carrier core.

FIG. 1 illustrates an exemplary network 100 that may incorporate anevolved packet core (EPC) guard for core network elements. Although theterm EPC guard is used it is contemplated that the disclosed subjectmatter may apply 5G or the like wireless systems and may be generallyreferred to as core network guard. User network 101 may becommunicatively connected with access network 102. User network 101 mayinclude user equipment (e.g., mobile devices), routers, switches, orother customer premise equipment. Access network 102 may include gatewayrouters, gateway switches, or base stations (e.g., eNodeBs or gNodeBs),among other things. Access network 102 may be communicatively connectedwith core network 103. Core network 103 may include devices such as amobility management entity (MME) 111, a home subscriber server (HSS)112, serving gateway (SGW) 113, packet data network gateway (PGW) 114,policy or charging rules function (PCRF) 115, or the like. Each networkelement may include an EPC guard agent, such as EPC guard agent 121 ofMME 111 or EPC guard agent 122 of HSS 112. The network elements of corenetwork 103 may be communicatively connected as shown and furtherconnected with a master EPC guard (MEG) 116. Core network 103 may becommunicatively connected with one or more other networks 104.

FIG. 2 illustrates an exemplary method that may incorporate an EPC guardfor core network elements. At step 131, MME 111 (e.g., a first networkelement) may attempt to establish a session or issue a request to HSS112 (e.g., a second network element). For example, MME 111 may issue anSS7 request to HSS 112, which may be a request for an authenticationvector. At step 132, based on the request of step 131, EPC guard agent121 or EPC guard agent 122 may be activated. In a first scenario, whenHSS 112 receives the request of step 131 it may not fully process therequest and activate EPC guard agent 122. EPC guard agent may beactivated based on the type of request, the source of the request, orother factors. In an example, if the source of the request is from atrusted network (e.g., a network that has been cleared of threats withina day or other period) then EPC guard agent 122 may not be activated.Another example may be an MME owned by an external or foreign carrierasking for an authentication vector for a user who is roaming. In thesecases, the EPC guard 122 may ask for additional security measures, suchas the cryptographic number. In another example, EPC guard agent 122 maybe activated based on a type of request, such as a request associatedwith control signaling of core network elements. Here it iscontemplated, when EPC guard agent 122 is activated, a query message(also referred to as query) may be generated. A query may be a requestfor a policy control parameter from the PCRF network element. Anotherquery may be a request to the Location Based Services (LBS) networkelement.

At step 133, based on step 132, EPC guard agent 122 may send the queryto MEG 116. At step 134, MEG 116 determines whether there are changes tothe image of MME 111. MEG 116 may be considered a repository ofcryptographically generated numbers associated with each networkelement. These cryptographic values may be generated when a networkelement is originally introduced in the network. The cryptographicvalues are generated via numerical hashes, cryptographic algorithms suchas advanced encryption standard (AES), or the like. The cryptographicvalues may represent the unmodified state of the network element. When aquery is obtained by MEG 116, it may fetch the cryptographic value ofMME 111. MEG 116 compares the number associated with MME 111 forwardedby EPC guard agent 122 with a numerical hash value (or anothercryptographic value) stored in MEG 116. The number is a cryptographicvalue that represents the true or unmodified state of the networkelement. When the network element gets an authorized software upgrade orthe like, there may be a change control mechanism for authorizedsoftware upgrades. The change control would involve changing thecryptographic value of the network element.

At step 135, based the determination of step 134, an alert is provided.If the numbers of step 134 appropriately match, then it may bedetermined that no changes to the image of the requesting element havebeen performed and an alert may be sent to HSS 112 to allow for normalprocessing of the request of step 131 from MME 111. In this example, therequest for an HSS authentication vector supporting subscriberauthentication is provided. If the numbers of step 134 do notappropriately match, then it may be determined that changes to the imageof the requesting element has been performed an alert may be sent to HSS112 to reject the request of step 131 from MME 111, indicate a threat(e.g., advanced persistent threat) for MME 111, or shutdown MME 111,while rerouting communications through another MME, among other things.

FIG. 3 illustrates another exemplary method that may incorporate an EPCguard for core network elements. At step 141, MME 111 (e.g., a firstnetwork element) may attempt to establish a session or issue a requestto HSS 112 (e.g., a second network element). For example, MME 111 mayissue an SS7 request to HSS 112, which may be a request for anauthentication vector. At step 142, based on the request of step 141,EPC guard agent 121 or EPC guard agent 122 may be activated. In a secondscenario, when MME 111 generates the request to HSS 112, EPC guard agent121 may also generate a query to MEG 116. The query may be to check theimage of MME 111 and HSS 112. Simultaneously or before the request ofstep 141 is sent to HSS 112, EPC guard 121 may be activated to generatea query (step 142) and send the query to MEG 116 (step 143). This mayhelp to proactively check the image for HSS 112 when communicating backwith MME 111 and further expedite the check of MME 111 for HSS 112. Thequery of this step may provide cryptographical information of MME 111and also provide just an indication to activate EPC guard 122 to provideits own query. It is contemplated that measures should be taken toappropriately wall off EPC guard 121 from operations of the networkelements. EPC guard 121 may be a virtual machine, a separate device,virtual network function, or the like. EPC guard agent 121, for themethod of FIG. 3 , may be activated based on the type of request, thesource of the request, or other factors. Factors may include the numberof users supported by a network element, the time of day, whether thereis above average data traffic, connections, or transactions associatedwith a network element, whether there is below average data traffic,connections, or transactions associated with a network element, qualityservice level of the service, or number of dropped packets to or from anetwork element, among other things.

At step 143, based on step 142, EPC guard agent 121 may send the queryto MEG 116. At step 144, MEG 116 determines whether there are changes tothe image of MME 111. When a query is obtained by MEG 116, it may fetchthe cryptographic value of MME 111. MEG 116 compares the numberassociated with MME 111 forwarded by EPC guard agent 121 or EPC guardagent 122 with a numerical hash value (or another cryptographic value)stored in MEG 116.

At step 145, based the determination of step 144, an alert is provided.If the numbers of step 144 appropriately match, then it may bedetermined that no changes to the image of the requesting element havebeen performed and an alert may be sent to HSS 112 to allow for normalprocessing of the request of step 141 from MME 111. In addition, analert may be sent to MME 111 to allow for normal processing ofsubsequent related requests associated with step 141 from HSS 112. Ifthe numbers of step 144 do not appropriately match, then it may bedetermined that changes to the image of the requesting element has beenperformed an alert may be sent to MME 111 or HSS 112 to rejectcommunications associated with step 141, indicate a threat (e.g.,advanced persistent threat) for MME 111 or HSS 112, or shutdown MME 111or HSS 112, while rerouting communications through another MME or HSS,among other things.

The disclosed methods of FIG. 2 and FIG. 3 mention specific networkelements, but it is contemplated herein that the method may be appliedto any number of network elements which may be in the core network 103,access network 102, or other network 104, among others. It is furthercontemplated that core network elements should implement additionalsecurity measures based on the general growth of cyber attacks and cyberwarfare.

Network elements which form the Evolved Packet Core (EPC) or carriernetworks usually do not have internal validation of the integrity oftheir software. In other words, there are no functions that validatewhether or not the software in a network element has been changed by amalicious actor. When software is changed in an EPC core network elementsuch as an MME, HSS, SGW, PGW, etc., without knowledge or authorizationfrom the vendor or the carrier, malicious code may have been inserted.Malicious actors, such as state sponsored hackers, may insertprogrammatic changes (APTs) that may go undetected for a long period(e.g., months or years) before their presence is noticed. The lack ofdetection of APTs in the EPC core is particularly concerning whenmalicious actors execute data collection or modification actions onsensitive network elements such as the HSS which is the repository ofsubscriber information or Communications Assistance for Law EnforcementAct (CALEA) network elements where sensitive information is forwarded tolaw enforcement agencies.

The EPC guard agents may take several forms: hardware front endprocessors, virtual machines, Virtual Network Functions, softwareelements imbedded in the network operation system are several variationspossible.

It is further contemplated herein that blockchain may be used tovalidate elements. In an example, in a 5G environment may have millionsuser plane network elements in which there is a need to ensure that theyare the correct ones (e.g., have the authorized images). Through the useof logs and blockchain the changes may be kept track of and validate theintegrity of network elements. MEG 116 may be considered a repositorythat houses the hash values or block chain records. For additionalperspective, blockchain provides a cryptographic ledger. A blockchaincontains a cryptographic hash value. The blockchain implemented mayinclude a cryptographic representation of the previous state of thenetwork element In addition, the blockchain may include a hash value ofthe modified network element. Every time a network element is modified,a new hash value is created, and a new block is written in the chain asa log of a timestamp and the new hash value. Thus, the blockchaincontains a series of cryptographic values representing the state of themachine very time that it was modified. The cryptographic blocks pointbackward and forward to each other block and the blockchain creates acryptographic ledger that cannot be modified.

Note that a session may involve multiple requests. A session may alsorequire a “login” to a network element as opposed to issuing a request.It may not be practical to establish a session when there maypotentially thousands of one time short lived requests to a networkelement. An example of a request may be a message from a control planeMME to a control plane HSS requesting an authentication vector. Anexample of a session may be a network element attempting to establish asession with an IMS Network Element such as Voice over LTE or VOLTEservices.

Also note that in 5G network elements may be considered “images” thatare stored in containers. In other words, they may be considered not“real” machines but rather virtual network functions (VNFs). These VNFsare in essence virtual machines. However, in 5G traditional VMs are notused. Rather, for efficiency purposes, images are used to representVNFs. These images may be moved in and out of worker machines whoconduct the real work processed. The images are stored in containers.Containers may be considered programs which provide the work environmentso images can be moved in an out for execution in worker nodes Theprocess of creating “worker nodes” and moving images in and out ofcontainers residing in worker nodes is called “orchestration”.

Disclosed herein is a mechanism is envisioned so potentially thousandsor eventually millions of virtual network elements have a cryptographicmethod of validation to ensure that malicious actors do not tamper withthese VNFs. Service providers don’t want foreign malicious actorsmodifying network functions that reside on customer premises or carriercontrol networks. If they are successful in modifying these functions,then carrier integrity is compromised. In previous networks, this wasmore difficult because carriers had “real machines” that needed to beaccessed and internal networks with limited exposure to the Internet.This is less true in 5G. There will be thousands or eventually millionsof VNFs that are exposed to the Internet and malicious attacks.

FIG. 4 is a block diagram of network device 300 that may be connected toor comprise a component of system 100 of FIG. 1 . Network device 300 maycomprise hardware or a combination of hardware and software. Thefunctionality to facilitate telecommunications via a telecommunicationsnetwork may reside in one or combination of network devices 300. Networkdevice 300 depicted in FIG. 4 may represent or perform functionality ofan appropriate network device 300, or combination of network devices300, such as, for example, a component or various components of acellular broadcast system wireless network, a processor, a server, agateway, a node, a mobile switching center (MSC), a short messageservice center (SMSC), an automatic location function server (ALFS), agateway mobile location center (GMLC), a radio access network (RAN), aserving mobile location center (SMLC), or the like, or any appropriatecombination thereof. It is emphasized that the block diagram depicted inFIG. 4 is exemplary and not intended to imply a limitation to a specificimplementation or configuration. Thus, network device 300 may beimplemented in a single device or multiple devices (e.g., single serveror multiple servers, single gateway or multiple gateways, singlecontroller or multiple controllers). Multiple network entities may bedistributed or centrally located. Multiple network entities maycommunicate wirelessly, via hard wire, or any appropriate combinationthereof.

Network device 300 may comprise a processor 302 and a memory 304 coupledto processor 302. Memory 304 may contain executable instructions that,when executed by processor 302, cause processor 302 to effectuateoperations associated with mapping wireless signal strength. As evidentfrom the description herein, network device 300 is not to be construedas software per se.

In addition to processor 302 and memory 304, network device 300 mayinclude an input/output system 306. Processor 302, memory 304, andinput/output system 306 may be coupled together (coupling not shown inFIG. 4 ) to allow communications between them. Each portion of networkdevice 300 may comprise circuitry for performing functions associatedwith each respective portion. Thus, each portion may comprise hardware,or a combination of hardware and software. Accordingly, each portion ofnetwork device 300 is not to be construed as software per se.Input/output system 306 may be capable of receiving or providinginformation from or to a communications device or other network entitiesconfigured for telecommunications. For example input/output system 306may include a wireless communications (e.g., 3G/4G/GPS) card.Input/output system 306 may be capable of receiving or sending videoinformation, audio information, control information, image information,data, or any combination thereof. Input/output system 306 may be capableof transferring information with network device 300. In variousconfigurations, input/output system 306 may receive or provideinformation via any appropriate means, such as, for example, opticalmeans (e.g., infrared), electromagnetic means (e.g., RF, Wi-Fi,Bluetooth®, ZigBee®), acoustic means (e.g., speaker, microphone,ultrasonic receiver, ultrasonic transmitter), or a combination thereof.In an example configuration, input/output system 306 may comprise aWi-Fi finder, a two-way GPS chipset or equivalent, or the like, or acombination thereof.

Input/output system 306 of network device 300 also may contain acommunication connection 308 that allows network device 300 tocommunicate with other devices, network entities, or the like.Communication connection 308 may comprise communication media.Communication media typically embody computer-readable instructions,data structures, program modules or other data in a modulated datasignal such as a carrier wave or other transport mechanism and includesany information delivery media. By way of example, and not limitation,communication media may include wired media such as a wired network ordirect-wired connection, or wireless media such as acoustic, RF,infrared, or other wireless media. The term computer-readable media asused herein includes both storage media and communication media.Input/output system 306 also may include an input device 310 such askeyboard, mouse, pen, voice input device, or touch input device.Input/output system 306 may also include an output device 312, such as adisplay, speakers, or a printer.

Processor 302 may be capable of performing functions associated withtelecommunications, such as functions for processing broadcast messages,as described herein. For example, processor 302 may be capable of, inconjunction with any other portion of network device 300, determining atype of broadcast message and acting according to the broadcast messagetype or content, as described herein.

Memory 304 of network device 300 may comprise a storage medium having aconcrete, tangible, physical structure. As is known, a signal does nothave a concrete, tangible, physical structure. Memory 304, as well asany computer-readable storage medium described herein, is not to beconstrued as a signal. Memory 304, as well as any computer-readablestorage medium described herein, is not to be construed as a transientsignal. Memory 304, as well as any computer-readable storage mediumdescribed herein, is not to be construed as a propagating signal. Memory304, as well as any computer-readable storage medium described herein,is to be construed as an article of manufacture.

Memory 304 may store any information utilized in conjunction withtelecommunications. Depending upon the exact configuration or type ofprocessor, memory 304 may include a volatile storage 314 (such as sometypes of RAM), a nonvolatile storage 316 (such as ROM, flash memory), ora combination thereof. Memory 304 may include additional storage (e.g.,a removable storage 318 or a non-removable storage 320) including, forexample, tape, flash memory, smart cards, CD-ROM, DVD, or other opticalstorage, magnetic cassettes, magnetic tape, magnetic disk storage orother magnetic storage devices, USB-compatible memory, or any othermedium that can be used to store information and that can be accessed bynetwork device 300. Memory 304 may comprise executable instructionsthat, when executed by processor 302, cause processor 302 to effectuateoperations to map signal strengths in an area of interest.

FIG. 5 depicts an exemplary diagrammatic representation of a machine inthe form of a computer system 500 within which a set of instructions,when executed, may cause the machine to perform any one or more of themethods described above. One or more instances of the machine canoperate, for example, as processor 302, UE, eNB, MME 111, SGW 113, HSS112, PCRF 115, PGW 114 and other devices of FIG. 1 . In someembodiments, the machine may be connected (e.g., using a network 502) toother machines. In a networked deployment, the machine may operate inthe capacity of a server or a client user machine in a server-clientuser network environment, or as a peer machine in a peer-to-peer (ordistributed) network environment.

The machine may comprise a server computer, a client user computer, apersonal computer (PC), a tablet, a smart phone, a laptop computer, adesktop computer, a control system, a network router, switch or bridge,or any machine capable of executing a set of instructions (sequential orotherwise) that specify actions to be taken by that machine. It will beunderstood that a communication device of the subject disclosureincludes broadly any electronic device that provides voice, video ordata communication. Further, while a single machine is illustrated, theterm “machine” shall also be taken to include any collection of machinesthat individually or jointly execute a set (or multiple sets) ofinstructions to perform any one or more of the methods discussed herein.

Computer system 500 may include a processor (or controller) 504 (e.g., acentral processing unit (CPU)), a graphics processing unit (GPU, orboth), a main memory 506 and a static memory 508, which communicate witheach other via a bus 510. The computer system 500 may further include adisplay unit 512 (e.g., a liquid crystal display (LCD), a flat panel, ora solid state display). Computer system 500 may include an input device514 (e.g., a keyboard), a cursor control device 516 (e.g., a mouse), adisk drive unit 518, a signal generation device 520 (e.g., a speaker orremote control) and a network interface device 522. In distributedenvironments, the embodiments described in the subject disclosure can beadapted to utilize multiple display units 512 controlled by two or morecomputer systems 500. In this configuration, presentations described bythe subject disclosure may in part be shown in a first of display units512, while the remaining portion is presented in a second of displayunits 512.

The disk drive unit 518 may include a tangible computer-readable storagemedium 524 on which is stored one or more sets of instructions (e.g.,software 526) embodying any one or more of the methods or functionsdescribed herein, including those methods illustrated above.Instructions 526 may also reside, completely or at least partially,within main memory 506, static memory 508, or within processor 504during execution thereof by the computer system 500. Main memory 506 andprocessor 504 also may constitute tangible computer-readable storagemedia.

FIG. 6A is a representation of an exemplary network 600. Network 600(e.g., network 100) may comprise an SDN-that is, network 600 may includeone or more virtualized functions implemented on general purposehardware, such as in lieu of having dedicated hardware for every networkfunction. That is, general purpose hardware of network 600 may beconfigured to run virtual network elements to support communicationservices, such as mobility services, including consumer services andenterprise services. These services may be provided or measured insessions.

A virtual network functions (VNFs) 602 may be able to support a limitednumber of sessions. Each VNF 602 may have a VNF type that indicates itsfunctionality or role. For example, FIG. 6A illustrates a gateway VNF602 a and a policy and charging rules function (PCRF) VNF 602 b.Additionally or alternatively, VNFs 602 may include other types of VNFs.Each VNF 602 may use one or more virtual machines (VMs) 604 to operate.Each VM 604 may have a VM type that indicates its functionality or role.For example, FIG. 6A illustrates a management control module (MCM) VM604 a, an advanced services module (ASM) VM 604 b, and a DEP VM 604 c.Additionally or alternatively, VMs 604 may include other types of VMs.Each VM 604 may consume various network resources from a hardwareplatform 606, such as a resource 608, a virtual central processing unit(vCPU) 608 a, memory 608 b, or a network interface card (NIC) 608 c.Additionally or alternatively, hardware platform 606 may include othertypes of resources 608.

While FIG. 6A illustrates resources 608 as collectively contained inhardware platform 606, the configuration of hardware platform 606 mayisolate, for example, certain memory 608 c from other memory 608 c. FIG.6B provides an exemplary implementation of hardware platform 606.

Hardware platform 606 may comprise one or more chasses 610. Chassis 610may refer to the physical housing or platform for multiple servers orother network equipment. In an aspect, chassis 610 may also refer to theunderlying network equipment. Chassis 610 may include one or moreservers 612. Server 612 may comprise general purpose computer hardwareor a computer. In an aspect, chassis 610 may comprise a metal rack, andservers 612 of chassis 610 may comprise blade servers that arephysically mounted in or on chassis 610.

Each server 612 may include one or more network resources 608, asillustrated. Servers 612 may be communicatively coupled together (notshown) in any combination or arrangement. For example, all servers 612within a given chassis 610 may be communicatively coupled. As anotherexample, servers 612 in different chasses 610 may be communicativelycoupled. Additionally or alternatively, chasses 610 may becommunicatively coupled together (not shown) in any combination orarrangement..

The characteristics of each chassis 610 and each server 612 may differ.For example, FIG. 6B illustrates that the number of servers 612 withintwo chasses 610 may vary. Additionally or alternatively, the type ornumber of resources 610 within each server 612 may vary. In an aspect,chassis 610 may be used to group servers 612 with the same resourcecharacteristics. In another aspect, servers 612 within the same chassis610 may have different resource characteristics.

Given hardware platform 606, the number of sessions that may beinstantiated may vary depending upon how efficiently resources 608 areassigned to different VMs 604. For example, assignment of VMs 604 toparticular resources 608 may be constrained by one or more rules. Forexample, a first rule may require that resources 608 assigned to aparticular VM 604 be on the same server 612 or set of servers 612. Forexample, if VM 604 uses eight vCPUs 608 a, 1 GB of memory 608 b, and 2NICs 608 c, the rules may require that all of these resources 608 besourced from the same server 612. Additionally or alternatively, VM 604may require splitting resources 608 among multiple servers 612, but suchsplitting may need to conform with certain restrictions. For example,resources 608 for VM 604 may be able to be split between two servers612. Default rules may apply. For example, a default rule may requirethat all resources 608 for a given VM 604 must come from the same server612.

An affinity rule may restrict assignment of resources 608 for aparticular VM 604 (or a particular type of VM 604). For example, anaffinity rule may require that certain VMs 604 be instantiated on (thatis, consume resources from) the same server 612 or chassis 610. Forexample, if VNF 602 uses six MCM VMs 604 a, an affinity rule may dictatethat those six MCM VMs 604 a be instantiated on the same server 612 (orchassis 610). As another example, if VNF 602 uses MCM VMs 604 a, ASM VMs604 b, and a third type of VMs 604, an affinity rule may dictate that atleast the MCM VMs 604 a and the ASM VMs 604 b be instantiated on thesame server 612 (or chassis 610). Affinity rules may restrict assignmentof resources 608 based on the identity or type of resource 608, VNF 602,VM 604, chassis 610, server 612, or any combination thereof.

An anti-affinity rule may restrict assignment of resources 608 for aparticular VM 604 (or a particular type of VM 604). In contrast to anaffinity rule—which may require that certain VMs 604 be instantiated onthe same server 612 or chassis 610—an anti-affinity rule requires thatcertain VMs 604 be instantiated on different servers 612 (or differentchasses 610). For example, an anti-affinity rule may require that MCM VM604 a be instantiated on a particular server 612 that does not containany ASM VMs 604 b. As another example, an anti-affinity rule may requirethat MCM VMs 604 a for a first VNF 602 be instantiated on a differentserver 612 (or chassis 610) than MCM VMs 604 a for a second VNF 602.Anti-affinity rules may restrict assignment of resources 608 based onthe identity or type of resource 608, VNF 602, VM 604, chassis 610,server 612, or any combination thereof.

Within these constraints, resources 608 of hardware platform 606 may beassigned to be used to instantiate VMs 604, which in turn may be used toinstantiate VNFs 602, which in turn may be used to establish sessions.The different combinations for how such resources 608 may be assignedmay vary in complexity and efficiency. For example, differentassignments may have different limits of the number of sessions that canbe established given a particular hardware platform 606.

For example, consider a session that may require gateway VNF 602 a andPCRF VNF 602 b. Gateway VNF 602 a may require five VMs 604 instantiatedon the same server 612, and PCRF VNF 602 b may require two VMs 604instantiated on the same server 612. (Assume, for this example, that noaffinity or anti-affinity rules restrict whether VMs 604 for PCRF VNF602 b may or must be instantiated on the same or different server 612than VMs 604 for gateway VNF 602 a.) In this example, each of twoservers 612 may have sufficient resources 608 to support 10 VMs 604. Toimplement sessions using these two servers 612, first server 612 may beinstantiated with 10 VMs 604 to support two instantiations of gatewayVNF 602 a, and second server 612 may be instantiated with 9 VMs: fiveVMs 604 to support one instantiation of gateway VNF 602 a and four VMs604 to support two instantiations of PCRF VNF 602 b. This may leave theremaining resources 608 that could have supported the tenth VM 604 onsecond server 612 unused (and unusable for an instantiation of either agateway VNF 602 a or a PCRF VNF 602 b). Alternatively, first server 612may be instantiated with 10 VMs 604 for two instantiations of gatewayVNF 602 a and second server 612 may be instantiated with 10 VMs 604 forfive instantiations of PCRF VNF 602 b, using all available resources 608to maximize the number of VMs 604 instantiated.

Consider, further, how many sessions each gateway VNF 602 a and eachPCRF VNF 602 b may support. This may factor into which assignment ofresources 608 is more efficient. For example, consider if each gatewayVNF 602 a supports two million sessions, and if each PCRF VNF 602 bsupports three million sessions. For the first configuration-three totalgateway VNFs 602 a (which satisfy the gateway requirement for sixmillion sessions) and two total PCRF VNFs 602 b (which satisfy the PCRFrequirement for six million sessions)—would support a total of sixmillion sessions. For the second configuration-two total gateway VNFs602 a (which satisfy the gateway requirement for four million sessions)and five total PCRF VNFs 602 b (which satisfy the PCRF requirement for15 million sessions)-would support a total of four million sessions.Thus, while the first configuration may seem less efficient looking onlyat the number of available resources 608 used (as resources 608 for thetenth possible VM 604 are unused), the second configuration is actuallymore efficient from the perspective of being the configuration that cansupport more the greater number of sessions.

To solve the problem of determining a capacity (or, number of sessions)that can be supported by a given hardware platform 605, a givenrequirement for VNFs 602 to support a session, a capacity for the numberof sessions each VNF 602 (e.g., of a certain type) can support, a givenrequirement for VMs 604 for each VNF 602 (e.g., of a certain type), agive requirement for resources 608 to support each VM 604 (e.g., of acertain type), rules dictating the assignment of resources 608 to one ormore VMs 604 (e.g., affinity and anti-affinity rules), the chasses 610and servers 612 of hardware platform 606, and the individual resources608 of each chassis 610 or server 612 (e.g., of a certain type), aninteger programming problem may be formulated.

As described herein, a telecommunications system wherein management andcontrol utilizing a software designed network (SDN) and a simple IP arebased, at least in part, on user equipment, may provide a wirelessmanagement and control framework that enables common wireless managementand control, such as mobility management, radio resource management,QoS, load balancing, etc., across many wireless technologies, e.g. LTE,Wi-Fi, and future 5G access technologies; decoupling the mobilitycontrol from data planes to let them evolve and scale independently;reducing network state maintained in the network based on user equipmenttypes to reduce network cost and allow massive scale; shortening cycletime and improving network upgradability; flexibility in creatingend-to-end services based on types of user equipment and applications,thus improve customer experience; or improving user equipment powerefficiency and battery life-especially for simple M2M devices-throughenhanced wireless management.

While examples of a telecommunications system in which cybersecurityguard for core network elements can be processed and managed have beendescribed in connection with various computing devices/processors, theunderlying concepts may be applied to any computing device, processor,or system capable of facilitating a telecommunications system. Thevarious techniques described herein may be implemented in connectionwith hardware or software or, where appropriate, with a combination ofboth. Thus, the methods and devices may take the form of program code(i.e., instructions) embodied in concrete, tangible, storage mediahaving a concrete, tangible, physical structure. Examples of tangiblestorage media include floppy diskettes, CD-ROMs, DVDs, hard drives, orany other tangible machine-readable storage medium (computer-readablestorage medium). Thus, a computer-readable storage medium is not asignal. A computer-readable storage medium is not a transient signal.Further, a computer-readable storage medium is not a propagating signal.A computer-readable storage medium as described herein is an article ofmanufacture. When the program code is loaded into and executed by amachine, such as a computer, the machine becomes a device fortelecommunications. In the case of program code execution onprogrammable computers, the computing device will generally include aprocessor, a storage medium readable by the processor (includingvolatile or nonvolatile memory or storage elements), at least one inputdevice, and at least one output device. The program(s) can beimplemented in assembly or machine language, if desired. The languagecan be a compiled or interpreted language, and may be combined withhardware implementations.

The methods and devices associated with a telecommunications system asdescribed herein also may be practiced via communications embodied inthe form of program code that is transmitted over some transmissionmedium, such as over electrical wiring or cabling, through fiber optics,or via any other form of transmission, wherein, when the program code isreceived and loaded into and executed by a machine, such as an EPROM, agate array, a programmable logic device (PLD), a client computer, or thelike, the machine becomes an device for implementing telecommunicationsas described herein. When implemented on a general-purpose processor,the program code combines with the processor to provide a unique devicethat operates to invoke the functionality of a telecommunicationssystem.

While a telecommunications system has been described in connection withthe various examples of the various figures, it is to be understood thatother similar implementations may be used, or modifications andadditions may be made, to the described examples of a telecommunicationssystem without deviating therefrom. For example, one skilled in the artwill recognize that a telecommunications system as described in theinstant application may apply to any environment, whether wired orwireless, and may be applied to any number of such devices connected viaa communications network and interacting across the network. Therefore,a telecommunications system as described herein should not be limited toany single example, but rather should be construed in breadth and scopein accordance with the appended claims.

In describing preferred methods, systems, or apparatuses of the subjectmatter of the present disclosure – cybersecurity guard for core networkelements – as illustrated in the Figures, specific terminology isemployed for the sake of clarity. The claimed subject matter, however,is not intended to be limited to the specific terminology so selected,and it is to be understood that each specific element includes alltechnical equivalents that operate in a similar manner to accomplish asimilar purpose. In addition, the use of the word “or” is generally usedinclusively unless otherwise provided herein.

This written description uses examples to enable any person skilled inthe art to practice the claimed subject matter, including making andusing any devices or systems and performing any incorporated methods.The patentable scope is defined by the claims, and may include otherexamples that occur to those skilled in the art (e.g., skipping steps,combining steps, or adding steps between exemplary methods disclosedherein). Such other examples are intended to be within the scope of theclaims if they have structural elements that do not differ from theliteral language of the claims, or if they include equivalent structuralelements with insubstantial differences from the literal languages ofthe claims.

What is claimed:
 1. A method comprising: responsive to a control planerequest associated with a first core network element: pausing processingof the control plane request by a second core network element whileperforming a security verification; and activating, by the second corenetwork element, a security agent to generate a query for the securityverification; and determining, by the second core network element, avalidation status of the first core network element via a securityverification device according to the query for the securityverification, wherein the query includes a current value associated withthe first core network element, and wherein the security verificationdevice compares the current value with a second value representing anunmodified state of the first core network element.
 2. The method ofclaim 1, further comprising obtaining, by the second core networkelement, the control plane request from the first core network element.3. The method of claim 1, further comprising sending, by the second corenetwork element, the query for the security verification to the securityverification device.
 4. The method of claim 1, further comprisingreceiving, by the second core network element, an alert message from thesecurity verification device.
 5. The method of claim 4, wherein thealert message further indicates the validation status of the second corenetwork element.
 6. The method of claim 4, wherein the alert messageindicates that the first core network element is valid, and furthercomprising resuming processing of the control plane request by thesecond core network element.
 7. The method of claim 4, wherein the alertmessage indicates that the first core network element is not valid, andfurther comprising rejecting further processing of the control planerequest by the second core network element.
 8. The method of claim 1,wherein the security verification device includes a repository ofcryptographically generated numbers, and wherein the repositoryincludes, as the second value representing the unmodified state of thefirst core network element, a predetermined cryptographically generatednumber for the first core network element.
 9. The method of claim 1,wherein the security verification device further determines thevalidation status of the first core network element based on comparing acryptographic number of the query to a predetermined cryptographicallygenerated number for the second core network element.
 10. The method ofclaim 1, wherein performance of the steps of pausing processing andactivating the security agent are further conditioned on a qualityservice level of a service associated with the control plane request.11. A non-transitory computer readable storage medium storing computerexecutable instructions that when executed by a processing systemincluding a processor cause the processing system to perform operationscomprising: responsive to a control plane request associated with afirst core network element: pausing processing of the control planerequest by a second core network element while performing a securityverification; and activating a security agent of the second core networkelement to generate a query for the security verification; anddetermining a validation status of the first core network element via asecurity verification device according to the query for the securityverification, wherein the security verification device compares acurrent value associated with the first core network element with asecond value representing an unmodified state of the first core networkelement.
 12. The non-transitory computer readable storage medium ofclaim 11, wherein the query includes a current value associated with thefirst core network element.
 13. The non-transitory computer readablestorage medium of claim 11, wherein the operations further compriseobtaining the control plane request from the first core network element.14. The non-transitory computer readable storage medium of claim 11,wherein the operations further comprise sending the query for thesecurity verification to the security verification device.
 15. Thenon-transitory computer readable storage medium of claim 11, wherein theoperations further comprise receiving an alert message from the securityverification device, wherein the alert message indicates that the firstcore network element is valid, and wherein the operations furthercomprise resuming processing of the control plane request by the secondcore network element.
 16. The non-transitory computer readable storagemedium of claim 11, wherein the operations further comprise receiving analert message from the security verification device, wherein the alertmessage indicates that the first core network element is not valid, andwherein the operations further comprise rejecting further processing ofthe control plane request by the second core network element.
 17. Thenon-transitory computer readable storage medium of claim 11, wherein thesecurity verification device further determines the validation status ofthe first core network element based on comparing a cryptographic numberof the query to a predetermined cryptographically generated number forthe second core network element.
 18. A device, comprising: a processingsystem including a processor; and a memory that stores executableinstructions that, when executed by the processing system, facilitateperformance of operations, the operations comprising: responsive to acontrol plane request associated with a first core network element:pausing processing of the control plane request by a second core networkelement while performing a security verification; and activating asecurity agent of the second core network element to generate a queryfor the security verification; and determining a validation status ofthe first core network element from a security verification deviceaccording to the query for the security verification, a current valueassociated with the first core network element, and a second valuerepresenting an unmodified state of the first core network element. 19.The device of claim 18, wherein the security verification devicecompares the current value associated with the first core networkelement with the second value representing an unmodified state of thefirst core network element.
 20. The device of claim 18, wherein theoperations further comprise receiving an alert message from the securityverification device, wherein the alert message indicates the validationstatus of the first core network element, wherein the operations furthercomprise resuming processing of the control plane request by the secondcore network element if the validation status is valid, and wherein theoperations further comprise rejecting further processing of the controlplane request by the second core network element if the validationstatus is not valid.